Spoofing your IP address using Burp Proxy match and replace
Last updated: August 25, 2022
Read time: 3 Minutes
Burp Proxy allows you to configure match and replace rules that automatically modify your requests and responses while you explore the target application as normal using Burp's browser. This enables you to add, remove, or modify headers in requests or responses, for example.
There are a number of uses for this, including potentially spoofing your IP address. In some cases, this may allow you to trick a server into believing that you belong to its local network, which could enable you to communicate with internal infrastructure that is otherwise inaccessible.
In this tutorial you'll learn how to:
- Set match and replace rules in Burp Suite.
- Use match and replace rules to add a header to your requests.
- Spoof your IP address to compromise a vulnerable server that uses a form of IP-based authentication.
Burp's browser is an easy way to proxy HTTP traffic - even over the encrypted HTTPS protocol. There is no setup required - simply go to the Proxy tab, click Open Browser, and ensure Intercept is off.
Step 1: Open the lab
Open Burp's browser and access the following lab:
Step 2: Attempt to access the admin panel
Try to access the admin panel at
Note that you are prevented from doing so as this is only accessible to local users.
For simplicity, let's assume that you've subsequently identified that the server is using a custom HTTP header,
X-Custom-IP-Authorization, to determine your IP address.
In the wild, the de-facto standard header
X-Forwarded-For is often used for this purpose, but you may encounter websites that use different custom headers. These are normally applied to your requests by an intermediary server, such as a load balancer or other reverse proxy belonging to a CDN, for example.
Step 3: Add a custom match and replace rule
In Burp Suite, go to the Proxy > Options tab.
Under Match and Replace, click Add.
Leave the Match field empty. This ensures that Burp will append a new header to requests rather than replacing an existing one.
In the Replace field, enter the following:
Burp Proxy will now add this header to every request you make in Burp's browser.
Step 4: Try to access the admin panel again
In Burp's browser, try browsing to
/admin again. Observe that you can now access the admin page and delete Carlos to solve the lab.
In Burp, you can confirm that the header was added to your requests by checking them in the Logger tab:
Alternatively, on the Proxy > HTTP history tab, you can use the drop-down menu to toggle between the original request that was sent by the browser, and the modified one that Burp Proxy forwarded to the server.
Although we've manually added a custom header in this case, Burp Suite provides a number of built-in match and replace rules to cover some of the most common use cases. You just need to enable them under Proxy > Options > Match and replace.
Summary and next steps
Congratulations - now you know how to use Burp Proxy's match and replace rules, and have used them to spoof your IP address.
To learn how you could have discovered the custom header we used to solve the lab, check out the learning materials on the Web Security Academy.
For more general information on authentication, as well as other types of attack you can carry out using Burp Suite, see the Authentication topic in the Web Security Academy.
Was this article helpful?
An error occurred, please try again.